Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread lists

On 11.10.2020 22:41, Roger Dingledine wrote:

> Right, in this particular case, we already run a scanner which provides
> public output: it's the tordnsel scanner, and check out
> https://check.torproject.org/exit-addresses

Damn it, the boy was hardworking.


https://metrics.torproject.org/rs.html#search/185.220.
niftybunny, Zwiebelfreunde, Digitalcourage & F3Netze help each other but
have their machines in different IX. They don't throw their IPs from the
separate ASNs onto one machine. ;-)


--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] rerouting exits

2020-10-11 Thread Mike Perry


On 10/11/20 3:08 PM, nusenu wrote:
>> Are your scanners available for others to run? I understand that it is a
>> risk that making them public may allow bad exits to avoid them, but is
>> it ok if other specific people use and adapt the scanners?
> 
> You don't need to actively perform scans (in the sense of establishing circuits)
> to detect rerouting exits, onionoo provides you with the required data:
> OR IP:
> https://metrics.torproject.org/onionoo.html#details_relay_or_addresses
> Exit IPs:
> https://metrics.torproject.org/onionoo.html#details_relay_exit_addresses

I meant the code for your other scans. We have my original scanner (part
of torflow repo), and one phw wrote, and another set of onion service
attack scanners. TPI might consider also running your scanners in
addition to or instead of some of these. Plus more people running
scanners may mean faster results and easier result confirmation...
Though, this is subject to obvious issues with this being an arms race,
if scans are discovered, of course.

I also agree with your ticket about the time rotation feature. And I'm
not sure we should necessarily publish this info anymore.

I think this and similar ideas should be explored. We're trying to
figure out how to put it all together into an approach that makes sense.


-- 
Mike Perry







Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread Roger Dingledine
On Sun, Oct 11, 2020 at 01:39:17PM -0500, Mike Perry wrote:
> > I believe I can tell rerouting exits from exits having distinct IPs for
> > inbound and outbound connections - in most cases.
> 
> Are your scanners available for others to run? I understand that it is a
> risk that making them public may allow bad exits to avoid them, but is
> it ok if other specific people use and adapt the scanners?

Right, in this particular case, we already run a scanner which provides
public output: it's the tordnsel scanner, and check out
https://check.torproject.org/exit-addresses

So what we are missing still is (a) a human to go through that list
periodically to look for exits that have weirdly too many exit addresses,
especially addresses that overlap with other exits, and then (b) somebody
to automate the process that that human uses.

In the 'bad exit finding' world, we've had problems in the past with
false positives, where some automated tool spams us with "possible"
problem relays and we quickly learn that ignoring those reports is the
best use of our time. So as we try to automate this one, I'd be a fan
of putting the detection threshold quite high, so when we trigger on
a relay and escalate to the humans, it's because we're quite confident
there's something that needs action.

> >> Remember that our directory authorities are deliberately independent
> >> from TPI though, and even what I think is not necessarily what TPI
> >> thinks. The dirauths may have different opinions. Coordinating policy of
> >> this nature is difficult and requires consensus building.
> > 
> > Since dir auths have been removing these kinds of relays, I don't think there
> > is any policy change necessary.
> 
> Ok great! Sometimes I am surprised by their decisions, and I didn't see
> this one.

Right. This one's an easy choice, because not only is it wasteful as
you say, it is also a way that somebody can sign up an exit relay to
look at traffic without needing to actually be the exit for that traffic.

--Roger
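
One way to automate the review described above, as an added example that is not part of the original thread or any Tor Project tooling: it parses text in the exit-addresses layout (ExitNode, Published, LastStatus and ExitAddress records) and flags only exits that have many exit addresses which are also used by several other exits. The sample data, the function names and the threshold values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the exit-addresses layout (placeholder fingerprints,
# RFC 5737 documentation addresses); relay A uses addresses of B, C and D.
FP = {name: name * 40 for name in "ABCD"}
SAMPLE = f"""\
ExitNode {FP['A']}
Published 2020-10-11 11:54:00
LastStatus 2020-10-11 17:00:00
ExitAddress 192.0.2.10 2020-10-11 09:19:06
ExitAddress 198.51.100.1 2020-10-11 17:52:50
ExitAddress 198.51.100.2 2020-10-11 17:13:21
ExitAddress 203.0.113.5 2020-10-10 23:51:28
ExitAddress 203.0.113.6 2020-10-10 20:14:28
ExitNode {FP['B']}
ExitAddress 198.51.100.1 2020-10-11 16:00:00
ExitNode {FP['C']}
ExitAddress 198.51.100.2 2020-10-11 16:00:00
ExitNode {FP['D']}
ExitAddress 203.0.113.5 2020-10-11 16:00:00
ExitAddress 203.0.113.6 2020-10-11 16:05:00
"""

def parse_exit_addresses(text):
    """Map each ExitNode fingerprint to the set of its ExitAddress IPs."""
    exits, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitNode":
            current = fields[1]
            exits.setdefault(current, set())
        elif len(fields) >= 2 and fields[0] == "ExitAddress" and current:
            exits[current].add(fields[1])
    return exits

def flag_rerouting(exits, min_addresses=4, min_peers=3):
    """Flag exits with many addresses that are also used by several other exits."""
    users = defaultdict(set)  # IP -> fingerprints seen exiting from it
    for fp, addrs in exits.items():
        for ip in addrs:
            users[ip].add(fp)
    flagged = {}
    for fp, addrs in exits.items():
        peers = set().union(*(users[ip] for ip in addrs)) - {fp}
        # High thresholds (assumed values) keep false positives down.
        if len(addrs) >= min_addresses and len(peers) >= min_peers:
            flagged[fp] = sorted(peers)
    return flagged
```

Counting distinct peer exits rather than shared addresses keeps a multi-IP operator such as relay D, whose addresses show up under the rerouting relay, from being flagged itself.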



[tor-relays] support for exit IP ranges on exit relays

2020-10-11 Thread nusenu
> I am losing patience with the "let's play nice and let exit IP addresses
> be predictable" model... 

I'd like to see: 

add support for multiple OutboundBindAddressExit IP(ranges)
https://gitlab.torproject.org/tpo/core/tor/-/issues/26646

(the time-based approach mentioned towards the end)





Re: [tor-relays] rerouting exits

2020-10-11 Thread nusenu
> Are your scanners available for others to run? I understand that it is a
> risk that making them public may allow bad exits to avoid them, but is
> it ok if other specific people use and adapt the scanners?

You don't need to actively perform scans (in the sense of establishing circuits)
to detect rerouting exits, onionoo provides you with the required data:
OR IP:
https://metrics.torproject.org/onionoo.html#details_relay_or_addresses
Exit IPs:
https://metrics.torproject.org/onionoo.html#details_relay_exit_addresses







Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread Mike Perry
On 10/11/20 1:17 PM, nusenu wrote:
>> I am losing patience with the "let's play nice and let exit IP addresses
>> be predictable" model... We are not being treated well by the banhammer
>> brigade, and it might be time to flip some tables. I would not call
>> simply using a different exit IP than your relay's OR port a bad exit.
> 
> I'm not calling exit relays using distinct IPs for inbound (OR) and outbound
> connections "BadExits" either, quite the opposite, all exits should be using
> https://2019.www.torproject.org/docs/tor-manual.html.en#OutboundBindAddressExit
> if they have spare IPs.
> That is why I implemented and automated that configuration in relayor.

Ok that sounds reasonable. Thanks!

> I believe I can tell rerouting exits from exits having distinct IPs for
> inbound and outbound connections - in most cases.

Are your scanners available for others to run? I understand that it is a
risk that making them public may allow bad exits to avoid them, but is
it ok if other specific people use and adapt the scanners?

>> Remember that our directory authorities are deliberately independent
>> from TPI though, and even what I think is not necessarily what TPI
>> thinks. The dirauths may have different opinions. Coordinating policy of
>> this nature is difficult and requires consensus building.
> 
> Since dir auths have been removing these kinds of relays, I don't think there
> is any policy change necessary.

Ok great! Sometimes I am surprised by their decisions, and I didn't see
this one.


-- 
Mike Perry





Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread nusenu
> I am losing patience with the "let's play nice and let exit IP addresses
> be predictable" model... We are not being treated well by the banhammer
> brigade, and it might be time to flip some tables. I would not call
> simply using a different exit IP than your relay's OR port a bad exit.

I'm not calling exit relays using distinct IPs for inbound (OR) and outbound
connections "BadExits" either, quite the opposite, all exits should be using
https://2019.www.torproject.org/docs/tor-manual.html.en#OutboundBindAddressExit
if they have spare IPs.
That is why I implemented and automated that configuration in relayor.

I believe I can tell rerouting exits from exits having distinct IPs for
inbound and outbound connections - in most cases.

 
> Remember that our directory authorities are deliberately independent
> from TPI though, and even what I think is not necessarily what TPI
> thinks. The dirauths may have different opinions. Coordinating policy of
> this nature is difficult and requires consensus building.

Since dir auths have been removing these kinds of relays, I don't think there
is any policy change necessary.








Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread Mike Perry


On 10/11/20 10:20 AM, nusenu wrote:
> Thanks for the report, I have forwarded it for removal.
> 
> li...@for-privacy.net:
>> Wtf, this exit has addresses that do not belong to it!
>> https://metrics.torproject.org/rs.html#details/385527185E26937D05E0933DD29FF1699056CAF3
> 
> Yes, rerouting exit traffic is a practice we have observed in the past.
> 
> BadExit: Rerouting exit relays detected (1)
> The following exit relays are routing their traffic back into the tor network:
> ---
> nickname: exitnew
> First seen: 2020-09-25 12:00:00
> Consensus weight: 1410
> AS: Choopa, LLC
> OR IP address: 45.63.11.98
> Exit addresses: 185.140.53.7 185.220.101.207 45.154.35.219 45.63.11.98 51.158.111.157
> https://atlas.torproject.org/#details/385527185E26937D05E0933DD29FF1699056CAF3
> 
> 
> 
>> I'm very sure there are only nifty rabbits on the 185.220.101.0/24 subnet!
> 
> niftybunny has relays outside of 185.220.101.0/24

I am losing patience with the "let's play nice and let exit IP addresses
be predictable" model... We are not being treated well by the banhammer
brigade, and it might be time to flip some tables. I would not call
simply using a different exit IP than your relay's OR port a bad exit.

However, re-routing exit traffic back into Tor like this is not the
answer. It is simply wasteful. I am in favor of delisting such relays.

Remember that our directory authorities are deliberately independent
from TPI though, and even what I think is not necessarily what TPI
thinks. The dirauths may have different opinions. Coordinating policy of
this nature is difficult and requires consensus building.

Again, I understand your frustration.



-- 
Mike Perry





Re: [tor-relays] BadExit: Rerouting exit relays detected (1) 45.63.11.98

2020-10-11 Thread nusenu
Thanks for the report, I have forwarded it for removal.

li...@for-privacy.net:
> Wtf, this exit has addresses that do not belong to it!
> https://metrics.torproject.org/rs.html#details/385527185E26937D05E0933DD29FF1699056CAF3

Yes, rerouting exit traffic is a practice we have observed in the past.

BadExit: Rerouting exit relays detected (1)
The following exit relays are routing their traffic back into the tor network:
---
nickname: exitnew
First seen: 2020-09-25 12:00:00
Consensus weight: 1410
AS: Choopa, LLC
OR IP address: 45.63.11.98
Exit addresses: 185.140.53.7 185.220.101.207 45.154.35.219 45.63.11.98 51.158.111.157
https://atlas.torproject.org/#details/385527185E26937D05E0933DD29FF1699056CAF3


 
> I'm very sure there are only nifty rabbits on the 185.220.101.0/24 subnet!

niftybunny has relays outside of 185.220.101.0/24

-- 
https://mastodon.social/@nusenu





[tor-relays] Is this next bad exit trick?

2020-10-11 Thread lists

Wtf, this exit has addresses that do not belong to it!
https://metrics.torproject.org/rs.html#details/385527185E26937D05E0933DD29FF1699056CAF3

I'm very sure there are only nifty rabbits on the 185.220.101.0/24 subnet!


--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!